Kido (Family)
'''Net-Worm.Win32.Kido''' or '''Kido''' is a network worm on Microsoft Windows that attempts to breach network accounts.

== Kido.ih ==
'''Net-Worm.Win32.Kido.ih''' or '''Kido.ih''' is the first variant in this family. It spreads through network connections and removable drives.

=== Installation ===
The worm generates a random string of symbols and creates files with that name. In the list below the random name occupies the empty position before the extension.
* %System%\
* %Program Files%\Internet Explorer\.dll
* %Program Files%\Movie Maker\.dll
* %All Users Application Data%\.dll
* %Temp%\.dll
* %Temp%\.tmp
After that, it creates the following registry key to ensure it is started on system bootup:
 HKLM\SYSTEM\CurrentControlSet\Services\netsvcs
The worm also modifies the following registry key:
 NT\CurrentVersion\SvcHost "netsvcs" = " %System%\.dll"

=== Distribution ===
The worm creates an HTTP server on a random TCP port. This is used to install the worm onto other computers. The worm then receives a list of IP addresses of the computers on the same network as the victim machine. It then uses the MS08-067 buffer overflow in the Server service to attack those machines: when netapi32.dll executes the wcscpy_s function, a buffer overflow occurs that allows the malicious code to run on the machine. It will then attempt to brute force the administrator account using the passwords below.
 99999999 9999999 999999 99999 88888888 8888888 888888 88888 8888 888 88 8
 77777777 7777777 777777 77777 7777 777 77 7 66666666 6666666 666666 66666 6666 666 66 6
 55555555 5555555 555555 55555 5555 555 55 5 44444444 4444444 444444 44444 4444 444 44 4
 33333333 3333333 333333 33333 3333 333 33 3 22222222 2222222 222222 22222 2222 222 22 2
 11111111 1111111 111111 11111 1111 111
 explorer exchange customer cluster nobody codeword codename changeme desktop security secure public
 system shadow office supervisor superuser share super secret server computer owner backup database
 lotus oracle business manager temporary ihavenopass nothing nopassword nopass Internet internet example sample
 love123 boss123 work123 home123 mypc123 temp123 test123 qwe123 abc123 pw123 root123 pass123 pass12 pass1
 admin123 admin12 admin1 password123 password12 password1 9999 999 99 9 11 1
 00000000 0000000 00000 0000 000 00 0987654321 987654321 87654321 7654321 654321 54321 4321 321 21 12
 fuck zzzzz zzzz zzz xxxxx xxxx xxx qqqqq qqqq qqq aaaaa aaaa aaa
 sql file web foo job home work intranet controller killer games private market coffee cookie forever freedom
 student account academia files windows monitor unknown anything letitbe letmein domain access money campus
 default foobar foofoo temptemp temp testtest test rootroot root adminadmin mypassword mypass pass
 Login login Password password passwd zxcvbn zxcvb zxccxz zxcxz qazwsxedc qazwsx q1w2e3 qweasdzxc
 asdfgh asdzxc asddsa asdsa qweasd qwerty qweewq qwewq nimda administrator Admin admin
 a1b2c3 1q2w3e 1234qwer 1234abcd 123asd 123qwe 123abc 123321 12321 123123
 1234567890 123456789 12345678 1234567 123456 12345 1234 123

=== Spreading Routine ===
The worm finds connected removable devices and drops its file onto the disk at the following path (the drive letter and the random file name are placeholders that are empty here):
 :\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx
It also adds information to autorun.inf to ensure the worm is run whenever the removable device is plugged into a system.
However, if the autorun.inf file is edited or deleted, the worm cannot spread this way.

=== Payload ===
The worm injects its own code into one of the several svchost processes. It then does the following:
* Disables the following services: wuauserv, BITS
* Blocks any addresses containing the following strings:
 indowsupdate wilderssecurity threatexpert castlecops spamhaus cpsecure arcabit emsisoft sunbelt securecomputing rising prevx pctools norman
 k7computing ikarus hauri hacksoft gdata fortinet ewido clamav comodo quickheal avira avast esafe ahnlab centralcommand drweb grisoft eset
 nod32 f-prot jotti kaspersky f-secure computerassociates networkassociates etrust panda sophos trendmicro mcafee norton symantec microsoft
 defender rootkit malware spyware virus
* Downloads files from the following URL (the host name is missing here):
 http:///search?q=<%rnd2%>
* Retrieves the date and time, using a special algorithm, from the following addresses:
 http://www.w3.org
 http://www.ask.com
 http://www.msn.com
 http://www.yahoo.com
 http://www.google.com
 http://www.baidu.com

== Kido.ir ==
'''Net-Worm.Win32.Kido.ir''' or '''Kido.ir''' is a virus that spreads through removable devices. Once a removable device is plugged into the infected system, it implants the following code into the Autorun.inf file (the mixed case and stray spaces are part of the worm's file):
 [AUTorUN]
 AcTION = Open folder to view files
 icon =% syStEmrOot% \ sySTEM32 \ sHELL32.Dll, 4
 OpEn = RunDll32.EXE. \ RECYCLER \ S-5-3-42- 2819952290-8240758988- 879315005-3665 \ jwgkvsq. vmx, ahaezedrn
 sHEllExECUTe = RUNdLl32.ExE. \ RECYCLER \ S-5-3-42-2819952290-8240758988-879315005-3665 \ jwgkvsq.vmx, ahaezedrn
 useAuTopLAY = 1
When the autorun.inf file is executed, the autorun script shows the following sentence on the screen:
 Open folder to view files

== Trojan-Downloader.Win32.Kido.a ==
This malicious program differs from the other members of the Kido family: it is not a network worm but a trojan downloader.
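The autorun.inf files written by Kido.ih and Kido.ir rely on Windows parsing the file case-insensitively and ignoring stray whitespace, so a naive string match on the quoted text would miss them. The following Python script is an added example, not code from this wiki or from Kaspersky: it normalises an autorun.inf the same way Windows does (case folded, whitespace stripped) and then reports the traits that mark the Kido dropper, namely RunDll32 launching a .vmx file from a RECYCLER folder and the fake "Open folder to view files" action. The sample text is constructed from the file quoted on this page; the benign autorun.inf used for contrast is also constructed.

```python
"""Added example (not from the wiki page or from Kaspersky): detect a
Kido/Conficker-style autorun.inf.  The worm's file uses mixed case and
stray whitespace, so the parser lower-cases and strips everything before
matching, which is roughly how Windows itself reads the file."""
import re

# Constructed sample: the Kido.ir autorun.inf as quoted on the page.
SAMPLE_AUTORUN = """
[AUTorUN]
AcTION = Open folder to view files
icon =% syStEmrOot% \\ sySTEM32 \\ sHELL32.Dll, 4
OpEn = RunDll32.EXE. \\ RECYCLER \\ S-5-3-42- 2819952290-8240758988- 879315005-3665 \\ jwgkvsq. vmx, ahaezedrn
sHEllExECUTe = RUNdLl32.ExE. \\ RECYCLER \\ S-5-3-42-2819952290-8240758988-879315005-3665 \\ jwgkvsq.vmx, ahaezedrn
useAuTopLAY = 1
"""

# Constructed benign autorun.inf (a driver CD) for contrast.
BENIGN_AUTORUN = """
[autorun]
icon=setup.exe,0
label=Driver CD
"""


def parse_autorun(text):
    """Return {section: {key: value}} with case folded and all whitespace removed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"\s+", "", raw).lower()   # drop whitespace, fold case
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key] = value
    return sections


def autorun_findings(text):
    """List the reasons an autorun.inf looks like the Kido dropper; empty if none."""
    findings = []
    auto = parse_autorun(text).get("autorun", {})
    for key in ("open", "shellexecute"):
        value = auto.get(key, "")
        if "rundll32" in value:
            findings.append(f"{key} launches rundll32")
        if "recycler" in value:
            findings.append(f"{key} points into a RECYCLER folder")
        if ".vmx" in value:
            findings.append(f"{key} loads a .vmx file as a DLL")
    if "openfoldertoviewfiles" in auto.get("action", ""):
        findings.append("action text mimics the Explorer 'Open folder' entry")
    return findings


if __name__ == "__main__":
    for name, data in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, autorun_findings(data))
```

Run against a file pulled from a removable drive, the script returns seven findings for the quoted sample and none for the benign file; the whitespace stripping is what makes the "jwgkvsq. vmx" spelling still match.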
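Both the worm and the trojan downloader on this page persist by registering a randomly named DLL under the netsvcs svchost group (see the Installation section of Kido.ih above and the Behaviour section of Kido.a below), and Kido.a additionally sets the Start value of security-related services to 4 and deletes the SafeBoot key. The following Python script is an added example, not the wiki's or Kaspersky's code: it audits a registry snapshot for those three traces. The snapshot dictionary is constructed (the service name qwzkdsl and its DLL path are invented placeholders standing in for the random name), and load_live_snapshot() reads the same keys on a real Windows host through the standard winreg module.

```python
"""Added example (not from the wiki page or from Kaspersky): audit the
registry locations the Kido family tampers with.  Runs on a constructed
snapshot here; load_live_snapshot() fills the same structure on Windows."""
try:
    import winreg            # only present on Windows
except ImportError:
    winreg = None

SVCHOST_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost"
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"
SAFEBOOT_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot"

# Drop directories listed on the page, as lower-case path fragments.
DROP_DIRS = ("\\temp\\", "\\internet explorer\\", "\\movie maker\\",
             "\\application data\\", "\\windows media player\\", "\\windowsnt\\")
# Services the page says Kido.a stops and sets to Start=4 (disabled).
SECURITY_SERVICES = {"wuauserv", "BITS", "wscsvc", "WinDefend", "WinDefender", "ERSvc", "WerSvc"}
SERVICE_DISABLED = 4

# Constructed snapshot: qwzkdsl and its path are invented placeholders
# standing in for the worm's random service name and dropped DLL.
SNAPSHOT = {
    SVCHOST_KEY: {"netsvcs": ["AppMgmt", "BITS", "wuauserv", "qwzkdsl"]},
    SERVICES_KEY + r"\BITS\Parameters": {"ServiceDll": r"%SystemRoot%\System32\qmgr.dll"},
    SERVICES_KEY + r"\qwzkdsl\Parameters": {
        "ServiceDll": r"C:\Documents and Settings\All Users\Application Data\qwzkdsl.dll"},
    SERVICES_KEY + r"\wuauserv": {"Start": 4},
    SERVICES_KEY + r"\BITS": {"Start": 4},
    SERVICES_KEY + r"\wscsvc": {"Start": 2},
    # SAFEBOOT_KEY is deliberately absent: the page says Kido.a deletes it.
}


def suspicious_netsvcs(snapshot):
    """Return (service, dll, reason) for netsvcs members whose ServiceDll
    sits in a Kido drop directory or, more loosely, outside System32."""
    hits = []
    for svc in snapshot.get(SVCHOST_KEY, {}).get("netsvcs", []):
        dll = snapshot.get(SERVICES_KEY + "\\" + svc + r"\Parameters", {}).get("ServiceDll", "")
        low = dll.lower()
        if any(frag in low for frag in DROP_DIRS):
            hits.append((svc, dll, "ServiceDll in a Kido drop directory"))
        elif dll and "\\system32\\" not in low:
            hits.append((svc, dll, "ServiceDll outside System32 (review)"))
    return hits


def disabled_security_services(snapshot):
    """Security services whose Start value has been set to 4 (disabled)."""
    return sorted(svc for svc in SECURITY_SERVICES
                  if snapshot.get(SERVICES_KEY + "\\" + svc, {}).get("Start") == SERVICE_DISABLED)


def safeboot_missing(snapshot):
    """True when the SafeBoot key is gone, which breaks booting into safe mode."""
    return SAFEBOOT_KEY not in snapshot


def load_live_snapshot():
    """Read the same keys from a live Windows host into the snapshot layout."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    snap = {}

    def read(subkey, names):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values = {}
                for name in names:
                    try:
                        values[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
                snap["HKLM\\" + subkey] = values
        except FileNotFoundError:
            pass   # a missing key is recorded by its absence from snap

    read(r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost", ["netsvcs"])
    members = list(snap.get(SVCHOST_KEY, {}).get("netsvcs", []))
    for svc in members + sorted(SECURITY_SERVICES):
        read(r"SYSTEM\CurrentControlSet\Services" + "\\" + svc, ["Start"])
        read(r"SYSTEM\CurrentControlSet\Services" + "\\" + svc + r"\Parameters", ["ServiceDll"])
    read(r"SYSTEM\CurrentControlSet\Control\SafeBoot", [])
    return snap


if __name__ == "__main__":
    snap = SNAPSHOT if winreg is None else load_live_snapshot()
    print("suspicious netsvcs entries:", suspicious_netsvcs(snap))
    print("disabled security services:", disabled_security_services(snap))
    print("SafeBoot key missing:", safeboot_missing(snap))
```

On the constructed snapshot the audit flags the qwzkdsl entry because its ServiceDll lives under All Users\Application Data, reports BITS and wuauserv as disabled, and notes the missing SafeBoot key; a ServiceDll outside System32 is reported only as something to review, since legitimate third-party services do register DLLs elsewhere.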
=== Behaviour ===
First, it generates a random string and copies itself using that string as the file name. In the paths below the random string occupies the empty position before the extension.
* %Program Files%\Internet Explorer\.dll
* %Program Files%\Windows Media Player\.dll
* %Program Files%\WindowsNT\.dll
* %Program Files%\Movie Maker\.dll
* %SpecialFolder%\.dll
* %System%\dir.dll
* %Temp%\.dll
To ensure it is run on startup, it implants a startup key into the registry. It also deletes the following keys, which disables Action Center, safe mode and other security solutions:
 HKLM\System\CurrentControlSet\Control\SafeBoot
 ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
 Defender
It modifies the following key:
 NT\CurrentVersion\SvcHost "netsvcs" = ""
The name of the service displayed in Task Manager is assembled from words taken from the following three lists:
 Policy Discovery Storage Power Logon Machine Browser Management Framework Component Trusted Backup Notify Audit Control Hardware
 Windows Update Universal Task Support Shell Security Network Monitor Microsoft Manager Installer Image Helper Driver Config Center Boot
 Time System svc Svc srv Srv Service Server serv prov mon mgmt man logon auto agent access
 xml wuau wsc Wmi Wmdm win W32 Trk Tapi Sec Remote Ras Ntms Net Lanman Ias help Event Audio App
The malware creates its own unique identifier.

=== Payload ===
If the trojan does not find the following directories, it stops running; otherwise it continues.
 Adobe Agent App Assemblies assembly Boot Build Calendar Collaboration Common Components Cursors Debug Defender Definitions Digital
 Distribution Documents Downloaded en Explorer Files Fonts Gallery Games Globalization Google Help IME inf Installer Intel Inter Internet
 Java Journal Kernel L2S Live Logs Mail Maker Media Microsoft Mobile Modem Movie MS msdownld NET New Office Offline Options Packages Pages
 Patch Performance Photo PLA Player Policy Prefetch Profiles Program Publish Reference Registered registration Reports Resources schemas
 Security Service Setup Shell Software Speech System Tasks Temp tmp tracing twain US Video Visual Web winsxs Works Zx
The trojan then looks for and terminates the following services:
* Windows Automatic Update Service (wuauserv)
* Background Intelligent Transfer Service (BITS)
* Windows Security Center Service (wscsvc)
* Windows Defender Service (WinDefend, WinDefender)
* Windows Error Reporting Service (ERSvc)
* Windows Error Reporting Service (WerSvc)
It modifies the original Start value of these services:
 "Start" = "dword:0x00000004"
The trojan injects its own code into the following executables:
* svchost.exe
* explorer.exe (if injection into svchost.exe is not successful)
* services.exe (on Windows 2000)
The injected code carries out the payload. The trojan then hooks the following API calls, including those of dnsrslvr.dll, in order to block access to the domains listed further down:
 DNS_Query_A DNS_Query_UTF8 DNS_Query_W Query_Main sendto NetpwPathCanonicalize InternetGetConnectedState
It blocks access to domains containing the following strings:
 vet. sans. nai. msft. msdn. llnwd. llnw. kav. gmer. cert. ca. bit9. avp. avg.
 windowsupdate wilderssecurity virus virscan trojan trendmicro threatexpert threat technet symantec sunbelt spyware spamhaus sophos
 secureworks securecomputing safety.live rootkit rising removal quickheal ptsecurity prevx pctools panda onecare norton norman nod32
 networkassociates mtc.sri msmvps msftncsi mirage microsoft mcafee malware kaspersky k7computing jotti ikarus hauri hacksoft hackerwatch
 grisoft gdata freeav free-av fortinet f-secure f-prot ewido etrust eset esafe emsisoft dslreports drweb Defender cyber-ta cpsecure
 conficker computerassociates comodo clamav centralcommand ccollomb castlecops bothunter avira avgate avast arcabit antivir anti- ahnlab agnitum
It terminates all processes whose names contain the following strings:
 wireshark unlocker tcpview sysclean scct_ regmon procmon procexp ms08-06 mrtstub mrt. mbsa. klwk kido kb958 kb890 hotfix gmer filemon
 downad confick avenger autoruns
It also blocks the following domains:
 netlog.com yandex.ru zedo.com doubleclick.com 2ch.net allegro.pl hi5.com seznam.cz ebay.com odnoklassniki.ru
 myspace.com go.com yahoo.com fastclick.com sourceforge.net comcast.net wikimedia.org miniclip.com mininova.org facebook.com
 adultadworld.com 4shared.com skyrock.com biglobe.ne.jp download.com youpo**.com adultfriendfinder.com nicovideo.jp rambler.ru foxnews.com
 terra.com.br zshare.net bigpoint.com yahoo.co.jp dell.com ziddu.com livejournal.com mixi.jp rediff.com youtube.com
 mywebsearch.com tube8.com xha******.com naver.com tribalfusion.com narod.ru hyves.nl xiaonei.com clicksor.com adsrevenue.net
 mail.ru files.wordpress.com tinypic.com ebay.it digg.com linkbucks.com imdb.com tagged.com nba.com msn.com
 blogfa.com recvfrom livedoor.com linkedin.com kaixin001.com reference.com megapo**.com torrentz.com orange.fr geocities.com
 pcpop.com paypopup.com fc2.com partypoker.com ask.com googlesyndication.com badongo.com goo.ne.jp aweber.com answers.com
 espn.go.com seesaa.net metroflog.com aim.com megaclick.com metacafe.com netflix.com sonico.com
 photobucket.com awempire.com depositfiles.com imageshack.us gougou.com po**hub.com mediafire.com typepad.com imeem.com perfspot.com
 56.com soso.com ameba.jp friendster.com google.com tuenti.com imagevenue.com taringa.net badoo.com disney.go.com
 livejasmin.com multiply.com ucoz.ru flickr.com mapquest.com ameblo.jp pogo.com apple.com cricinfo.com ebay.co.uk
 studiverzeichnis.com vkontakte.ru wordpress.com rapidshare.com wikimedia.org icq.com xnxx.com veoh.com ning.com pconline.com.cn
 tudou.com sakura.ne.jp fotolog.net bbc.co.uk conduit.com vnexpress.net ebay.de craigslist.org live.com xvideos.c0m (.com)
 ioctlsocket tianya.cn alice.it bebo.com verizon.net megaupload.com kooora.com thepiratebay.org

=== Main Payload ===
It retrieves files from the following URL (the host name is missing here; the query value is a random number):
 http:///search?q=<%rnd2%>
It chooses the domain's top-level suffix from the list below:
 vn vc us tw to tn tl tj tc su sk sh sg sc ru ro ps pl pk pe no nl nf my mw mu ms mn me md ly lv lu li lc la kz kn is ir in im ie hu ht hn hk
 gy gs gr gd fr fm es ec dm dk dj cz cx cn cl ch cd ca bz bo be at as am ag ae ac
 com.ve com.uy com.ua com.tw com.tt com.tr com.sv com.py com.pt com.pr com.pe com.pa com.ni com.ng com.mx com.mt com.lc com.ki com.jm com.hn
 com.gt com.gl com.gh com.fj com.do com.co com.bs com.br com.bo com.ar com.ai com.ag
 co.za co.vi co.uk co.ug co.nz co.kr co.ke co.il co.id co.cr
The trojan generates 50000 domain names every day, and it skips the address groups below:
 127.x.x.x
 169.254.x.x
 x.198.x.x
 x.255.255.253
 224-239.x.x.x
 240-255.x.x.x
Furthermore, the trojan blacklists 399 IP addresses linked to security companies. It retrieves the date from one of the following domains:
 http://www.w3.org
 http://www.ask.com
 http://www.yahoo.com
 http://www.google.com
 http://www.baidu.com
 http://www.rapidshare.com
 http://www.imageshack.us
 http://www.facebook.com

Other variants coming soon.

== Sources ==
* Kaspersky Labs, SecureList (IH variant)
* Kaspersky Labs, SecureList (IR variant)
* Kaspersky Labs, SecureList (A variant)

[[Category:Win32]]
[[Category:Network worm]]
[[Category:Win32 worm]]
[[Category:Trojan dropper]]
[[Category:Worm]]
[[Category:Microsoft Windows]]